Abstract

Chebyshev polynomials have recently been proposed for designing public-key systems. Indeed,
they enjoy some nice chaotic properties, which seem to be suitable for use in Cryptography.
Moreover, they satisfy a semi-group property, which makes it possible to implement a trapdoor
mechanism. In this paper we study a public key cryptosystem based on such polynomials, which
provides both encryption and digital signature. The cryptosystem works on real numbers and is
quite efficient. Unfortunately, our analysis shows that it is not secure. We describe
an attack which permits recovery of the plaintext from a given ciphertext. The
same attack can be applied to produce forgeries if the cryptosystem is used for signing messages.
Then, we point out that other primitives, a Diffie-Hellman like key agreement scheme and
an authentication scheme, designed along the same lines as the cryptosystem, are also not secure due
to the aforementioned attack. We close the paper by discussing the issues and the possibilities
of constructing public key cryptosystems on real numbers.

1 Introduction 

Chaos and Cryptography. The study of chaotic systems and their possible applications to
Cryptography has received considerable attention during the last years in a part of the scientific
community. Chaotic systems are indeed characterized by sensitive dependence on initial conditions
and similarity to random behavior, properties which seem pretty much the same as those required by several
cryptographic primitives (see [20] for a brief overview).

In [17], for the first time, a symmetric key cryptosystem based on Chaos Theory was presented at
a well-established cryptographic conference, but it was cryptanalysed at the same conference [ ].
Another scheme based on chaotic maps was broken in [ ].

Since then Chaos Theory has not received much attention inside the cryptographic community.
However, it has had several applications in other communication areas, and people involved in Chaos
Theory have kept working on the idea of using the properties of chaotic systems in designing
efficient cryptographic primitives.

Two main approaches to the use of chaotic systems in designing cryptographic systems can be
found in the literature. One of these approaches uses hardware-based synchronized chaotic circuits
[26], where, in order to encrypt messages, the cleartext is hidden in the spectral domain of the chaotic
signal. This method is strongly related to the concept of synchronization of two chaotic systems, and
the interested reader can find a survey on the state of the art in this field in [19].
The other, still for encryption purposes, has investigated the simulation of chaotic discrete dynamical
systems on a computer (see [23], to name a few).

Many chaotic systems are defined over real numbers. On the other hand, Cryptography deals with
systems defined mostly on finite fields. This has some immediate consequences. Some ordinary
design strategies and standard cryptanalytic methods cannot be applied to cryptosystems based on
chaotic systems working over real numbers. Just to exemplify, cryptographic systems have secret
parameters taking values over a large but finite field. Hence, a brute force attack, which simply
tries all elements of the field in searching for the secret values, might be infeasible but is possible. If the
range of the parameters of a cryptosystem based on real numbers is a continuous infinite interval, an
exhaustive search is just impossible.

However, at the state of current knowledge, the security of chaos-based cryptosystems defined 
over real numbers is not well understood. 

Public Key Cryptography. Public Key Cryptography enables users who do not share any secret
key to securely communicate over a public channel. More precisely, in a public key cryptosystem
every user $U$ has a pair of keys $(p_U, s_U)$. The key $p_U$ of user $U$ is public and can be used by everybody
else to send an encrypted message to $U$. The key $s_U$ enables decryption of messages encrypted with key
$p_U$, and is kept secret by $U$. Hence, $U$ is the only user able to decrypt encrypted messages. Roughly
speaking, the security of a public key cryptosystem is based on the assumption that computing
the secret key $s_U$ given the public key $p_U$ (even if theoretically possible) is computationally
infeasible.

From an historical point of view, Diffie and Hellman, with the publication in 1976 of their paper
New Directions in Cryptography [13], introduced the idea^1 of public key cryptography. Later on,
Rivest, Shamir and Adleman proposed the well-known RSA cryptosystem [30], which realized such
an idea. Since then many new cryptosystems have been proposed (see [28, 25] for some relevant
examples) and, in general, public key cryptography is a well-established and sound field of knowledge.

The Issue of Security. Two of the top concerns cryptographers have been dealing with since the
idea of public key cryptography was introduced are what a secure public key cryptosystem is and how
an efficient one can be constructed. The first received an answer by Goldwasser and Micali in [16],
where the notion of semantic security (w.r.t. passive attacks) was established, and by Rackoff and
Simon [29], where adaptively chosen ciphertext attacks were considered. The adversary in the latter,
more powerful, setting has access to the decryption algorithm and can obtain the plaintexts corresponding
to ciphertext messages of his own choosing (apart from the challenge ciphertext he has to attack).

However, it turned out to be a difficult task to get an efficient cryptosystem secure against
adaptive chosen ciphertext attacks. Several proposals were given over the years. In 1998 Cramer
and Shoup [10] gave the first practical and provably secure public key encryption scheme. We refer the
interested reader to the journal version of that paper for details about the cryptosystem
and for a brief historical excursus.

Standard Model and Random Oracle Model. The methodology usually applied in Cryptography
in order to show that a given protocol meets certain security requirements is reductionist:
assuming that for a well-known computational problem there are no efficient (i.e., probabilistic polynomial
time) algorithms, it is shown that an efficient algorithm breaking the security requirements
of the protocol can be used as a building block for constructing an efficient algorithm for solving the
supposedly hard computational problem. In other words, the security of the protocol is reduced
to the presumed difficulty of a certain computational problem.

Several currently available public key cryptosystems are defined over finite fields and use modular
arithmetic. Their security is often based on the presumed difficulty of solving certain number
theoretic problems, like factoring large composite integers, computing the discrete logarithm in
finite multiplicative groups, deciding quadratic residuosity of an element, computing square roots
and so on. More precisely, two kinds of proofs of security have been given. The first are proofs
in the so called standard model, where the security of the scheme is based on standard assumptions,
like the aforementioned ones.

The second kind deals with the so called random oracle model, where a sort of idealized model is
considered, and the scheme is proved secure in such a model. Then, it is argued that if in the real
world the idealized component (i.e., a random function) is suitably instantiated (e.g., by means
of a concrete hash function) the scheme is secure. However, it has been shown that there are schemes
secure in the random oracle model but insecure in any implementation in the real world [11]. Hence,
the latter are also considered as "heuristic proofs" of security.

^1 Even if it has recently been found out that at GCHQ [18] the idea of public key cryptography had already been proposed
by the time Diffie and Hellman published their paper, but was kept secret for military reasons, it is undoubted that [13]
introduced such an idea into the scientific community.

Empirical Analysis. Several well-known and widely used cryptosystems have not been proven
secure according to the reductionist methodology. Formal proofs in the standard model or in the
random oracle model have not always been found. Such cryptosystems have been considered secure
when they have been used for a long time and no easy method for breaking them has been discovered.

Public-key schemes as dynamical systems. Since 1976, numerous public-key algorithms have
been proposed; the three most widely used public-key cryptosystems are RSA, Rabin and ElGamal.
From a dynamical point of view, all three encryption algorithms, RSA, ElGamal, and Rabin, employ
one single system:

$$X_{n+1} = (X_n)^p \pmod N, \qquad (1)$$

where $X_n$ is an integer, $0 \le X_n \le N-1$, and $X_0$, $p$ and $N$ are properly chosen integers. For
example, in the ElGamal public-key scheme, one uses (1) where $N$ is a prime, $X_0$ is a generator
of the multiplicative group of integers modulo $N$, and $1 \le p \le N-2$. In the RSA algorithm,
$N = PQ$, where $P$ and $Q$ are two random distinct primes, $p$ is an integer, $1 < p < \phi$, where
$\phi = (P-1)(Q-1)$, such that $\gcd(p, \phi) = 1$, and $X_0$ is the message to be encrypted. The Rabin public-key
encryption scheme uses (1) with $p = 2$, $N = PQ$, where $P$ and $Q$ are primes both congruent to
$3 \pmod 4$, and $X_0$ is the message to be encrypted. All three schemes use the following property
of (1):

$$(X^p)^q = X^{p \cdot q} \pmod N. \qquad (2)$$

Recently, several authors have suggested public-key encryption algorithms based on chaotic dynamical
systems, defined on real numbers, for which property (2) is satisfied. Since in this paper we
only consider dynamical systems defined over real numbers and enjoying property (2), we refer the
reader to Section 2 of [24] for a brief overview of some previously proposed public key cryptosystems
based on different chaotic systems and for some more references on the subject.

K. Umeno was probably the first author who suggested that a rational map defined by the elliptic
function, which can be expressed directly by a rational polynomial [31], can be used in the public-key
scenario [32]. In [21] the authors proposed a public-key encryption algorithm and a signature
algorithm using chaotic Chebyshev polynomials, and suggested an alternative implementation by
means of some generalised Chebyshev maps (see [31] and [22]), termed Jacobian Elliptic Chebyshev
Rational Maps in [22].

Our Contribution. We start by analysing the public-key cryptosystem based on Chaos Theory
described in [21], which uses Chebyshev polynomials. We show that such a cryptosystem, even if
efficient and practical, is unfortunately not secure. Indeed, we describe an attack that permits recovery of
the plaintext from a given ciphertext. The same attack can be applied to
produce forgeries if the cryptosystem is used for signing messages. We also consider a realization
of the cryptosystem on the Jacobian Elliptic Chebyshev Rational Maps. We show that the attack
works against this cryptosystem as well. Then, we point out that other primitives, a Diffie-Hellman
like key agreement scheme [32] and an authentication scheme [37], designed along the same
lines as the cryptosystem, are also not secure due to the aforementioned attack. We close the paper by
discussing the main issues concerning the design and the implementation of public key systems
that work on real numbers, summarising our results, and outlining some possible research directions.
2 Chebyshev Polynomials

In this section we briefly describe Chebyshev polynomials, since they represent the cornerstone on
which the public key cryptosystem, described in [21], and the authentication scheme, described in
[37], are built.



Definition 2.1 Let $n$ be an integer, and let $x$ be a variable taking values over the interval $[-1,1]$.
The polynomial $T_n(x) : [-1,1] \to [-1,1]$ is recursively defined as

$$T_n(x) = 2 \cdot x \cdot T_{n-1}(x) - T_{n-2}(x), \quad \text{for any } n \ge 2,$$

where $T_0(x) = 1$ and $T_1(x) = x$.

Some examples of Chebyshev polynomials are (see Fig. 1):

$$T_2(x) = 2 \cdot x^2 - 1, \qquad T_3(x) = 4 \cdot x^3 - 3 \cdot x, \qquad T_4(x) = 8 \cdot x^4 - 8 \cdot x^2 + 1.$$

Figure 1: Chebyshev polynomials

One of the most important properties of Chebyshev polynomials is the so called semi-group property,
which establishes that:

$$T_r(T_s(x)) = T_{r \cdot s}(x). \qquad (3)$$

An immediate consequence of this property is that Chebyshev polynomials commute under composition:

$$T_r(T_s(x)) = T_s(T_r(x)).$$
3 A Cryptosystem based on Chebyshev Polynomials

A public key cryptosystem based on Chebyshev polynomials was proposed in [21]. It can be viewed
as a generalization of the ElGamal public-key cryptosystem [14].

3.1 The Cryptosystem 

The cryptosystem is composed of three algorithms: a Key Generation algorithm, an Encryption 
algorithm, and a Decryption algorithm. 

Key Generation Algorithm. Key Generation takes place in three steps.

Alice, in order to generate the keys, does the following:

1. Generates a large integer $s$.

2. Selects a random number $x \in [-1,1]$ and computes $T_s(x)$.

3. Sets her public key to $(x, T_s(x))$ and her private key to $s$.

Encryption Algorithm. Encryption requires five steps.

Bob, in order to encrypt a message, does the following:

1. Obtains Alice's authentic public key $(x, T_s(x))$.

2. Represents the message as a number $M \in [-1,1]$.

3. Generates a large integer $r$.

4. Computes $T_r(x)$, $T_{r \cdot s}(x) = T_r(T_s(x))$ and $X = M \cdot T_{r \cdot s}(x)$.

5. Sends the ciphertext $C = (T_r(x), X)$ to Alice.

Decryption Algorithm. Decryption requires two steps.

Alice, to recover the plaintext $M$ from the ciphertext $C$, does the following:

1. Uses her private key $s$ to compute $T_{s \cdot r}(x) = T_s(T_r(x))$.

2. Recovers $M$ by computing $M = X / T_{s \cdot r}(x)$.

3.2 Correctness of the Cryptosystem 

The algorithm is correct due to the semi-group property of the Chebyshev polynomials. Indeed,
encryption provides:

$$X = M \cdot T_r(T_s(x)).$$

Since Chebyshev polynomials commute under composition, it follows that:

$$X = M \cdot T_s(T_r(x)).$$

Therefore:

$$M = X / T_{s \cdot r}(x).$$
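The three algorithms of Section 3.1, together with the logarithmic-time evaluation of $T_n(x)$ and the finite-precision issue discussed in Section 3.3, as an added example written for this page (it is not the code of [21] or of this paper). Real arithmetic uses Python's `decimal` module so that the working precision is explicit; the 120-digit precision, the 32-bit default key size of `random_keygen`, and the parameters in the usage lines (taken from the example of Section 4.2) are assumptions of the example.

```python
"""Chebyshev-polynomial public-key scheme of Section 3 (added example; not the code of [21]
or of this paper). Real arithmetic uses Python's decimal module so the working precision
is explicit; 120 digits is an assumption of this example."""
from decimal import Decimal, getcontext, localcontext
import secrets

getcontext().prec = 120


def chebyshev(n: int, x: Decimal) -> Decimal:
    """T_n(x) in O(log n) steps (Section 3.3): walk the bits of n from the most
    significant one keeping the pair (T_k, T_{k+1}) and use
        T_{2k}   = 2 T_k^2 - 1          (= T_2(T_k), semi-group property)
        T_{2k+1} = 2 T_{k+1} T_k - x
        T_{2k+2} = 2 T_{k+1}^2 - 1 ."""
    t_k, t_k1 = Decimal(1), x                 # k = 0: (T_0, T_1)
    for bit in bin(n)[2:]:
        t_2k = 2 * t_k * t_k - 1
        t_2k1 = 2 * t_k1 * t_k - x
        if bit == "0":                        # k <- 2k
            t_k, t_k1 = t_2k, t_2k1
        else:                                 # k <- 2k + 1
            t_k, t_k1 = t_2k1, 2 * t_k1 * t_k1 - 1
    return t_k


def keygen(s: int, x) -> tuple:
    """Alice: private key s, public key (x, T_s(x)); x given as Decimal or string."""
    x = Decimal(x)
    return (x, chebyshev(s, x)), s


def random_keygen(bits: int = 32) -> tuple:
    """Same, drawing s (a bits-bit integer) and x (18 decimal digits in [-1, 1)) at random."""
    s = secrets.randbits(bits) | (1 << (bits - 1))
    x = Decimal(secrets.randbelow(2 * 10**18) - 10**18) / Decimal(10**18)
    return keygen(s, x)


def encrypt(pub: tuple, m, r: int) -> tuple:
    """Bob: ciphertext (T_r(x), X) with X = M * T_r(T_s(x)), M in [-1, 1]."""
    x, t_s = pub
    return chebyshev(r, x), Decimal(m) * chebyshev(r, t_s)


def decrypt(s: int, ciphertext: tuple) -> Decimal:
    """Alice: T_s(T_r(x)) = T_{rs}(x) by the semi-group property (3), then divide.
    (Raises DivisionByZero if T_{rs}(x) happens to be exactly 0.)"""
    t_r, big_x = ciphertext
    return big_x / chebyshev(s, t_r)


def semigroup_gap(x, r: int, s: int, prec: int) -> Decimal:
    """|T_r(T_s(x)) - T_{rs}(x)| with every operation rounded to `prec` digits.
    Equation (3) is exact over the reals; at finite precision it survives only while
    r and s stay below the implementation-dependent bounds s_0, r_0 of Section 3.3."""
    x = Decimal(x)
    with localcontext() as ctx:
        ctx.prec = prec
        return abs(chebyshev(r, chebyshev(s, x)) - chebyshev(r * s, x))


if __name__ == "__main__":
    # Parameters of the example in Section 4.2 (x is the 8-digit rounding of cos(5 pi/18)).
    pub, s = keygen(106000, "0.64278761")
    c = encrypt(pub, "0.25", 81500)
    print("public key:", pub, "\nciphertext:", c, "\nrecovered M:", decrypt(s, c))
    for p in (8, 16, 40, 120):
        print(f"prec={p:3d}  |T_r(T_s(x)) - T_rs(x)| = {semigroup_gap(pub[0], 81500, 106000, p):.3e}")
```

Two points worth noticing when running it. First, because $x = 0.64278761$ is only an 8-digit rounding of $\cos(5\pi/18)$, the computed $T_s(x)$ differs from the paper's $0.173648178$ in the fifth decimal place: the index $s = 106000$ amplifies a $10^{-10}$ perturbation of the angle by a factor $s$. Second, `semigroup_gap` makes the bound of Section 3.3 visible: at 8 or 16 digits the two sides of equation (3) no longer agree for these $r$, $s$, while at 120 digits the gap is far below the precision of any message.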
3.3 Implementation

Both encryption and decryption involve the evaluation of Chebyshev polynomials. If we evaluate
Chebyshev polynomials directly, applying the recursive definition, then the computation of $T_n(x)$
takes linear time in $n$. However, it is possible to reduce the computation to a logarithmic
number of steps [15], by noticing that

$$T_{2 \cdot n}(x) = T_2(T_n(x)) \qquad \text{and} \qquad T_{2 \cdot n + 1}(x) = 2 \cdot T_{n+1}(x) \cdot T_n(x) - x,$$

and re-organizing the computation. More precisely, we can use the recursive relation for evaluating
Chebyshev polynomials:

$$T_0 = 1, \qquad T_1 = x, \qquad T_{2 \cdot n}(x) = T_2(T_n(x)) = 2 \cdot T_n(x)^2 - 1, \qquad T_{2 \cdot n + 1}(x) = 2 \cdot T_{n+1}(x) \cdot T_n(x) - x,$$

keeping the pair $(T_n(x), T_{n+1}(x))$ and processing the bits of the index from the most significant one.

Another important issue that must be considered when implementing the above cryptosystem is
the finite precision of the arithmetic. In [21] the authors pointed out that the semi-group property
of Chebyshev polynomials, stated by equation (3), holds only if the values $s$ and $r$, chosen by Alice
and Bob, are such that $s < s_0$ and $r < r_0$, where $s_0$ and $r_0$ are constant values depending on the
arithmetic precision used in implementing the encryption and decryption algorithms. They gave
a table where, for certain precisions, expressed in terms of bits, some possible upper bounds for $s_0$
and $r_0$ are listed. For example, a 2048-bit precision implies constants $s_0$ and $r_0$ smaller than $2^{\ldots}$. Such
upper bounds were empirically determined. No general relation linking the arithmetic precision of
the operations to the values of $s_0$ and $r_0$ is currently known.

4 Security Analysis of the Cryptosystem

In this section we show that the above cryptosystem is not secure. Given a ciphertext, an adversary,
by exploiting the very definition of Chebyshev polynomials and after some algebra, can recover the
cleartext.

In [21] it was presumed to be secure based on the following observation: as pointed out, the scheme
resembles the ElGamal encryption scheme. The security of the ElGamal encryption scheme is based on the
intractability of the discrete logarithm problem in $\mathbb{Z}_n^*$, i.e., given $n$, $x$ and $x^p$, find $p$. In the above
scheme, given $x$ and $T_p(x)$, the value $T_p(x)$ is the value of a polynomial of degree $p$, not just a power
$x^p$. Hence, computing the degree $p$ of the polynomial, given only one pair $(x, T_p(x))$, seems to be much
harder than computing $p$ from a power. Thus, recovering $s$ given $x$ and $T_s(x)$ seems only possible
by computing $T_p(x)$ for all $p \ge 2$ and, then, checking for which $p$ the equality $T_p(x) = T_s(x)$ holds.

Unfortunately, there are some fundamental differences between the two schemes: the ElGamal scheme
is implemented over $\mathbb{Z}_n^*$ and uses modular arithmetic. Then, given $x$ and $x^p$, the discrete logarithm
is uniquely determined (modulo the order of $x$) while, as we will show later, there are several Chebyshev polynomials passing
through the same point.

4.1 How to Recover the Plaintext

In this section we present an attack which enables an adversary to recover from a given ciphertext
the corresponding cleartext.
First of all, we will use the trigonometric functions $\cos(x)$ and $\arccos(x)$, defined as

$$\cos : \mathbb{R} \to [-1,1] \qquad \text{and} \qquad \arccos : [-1,1] \to [0,\pi].$$

The $\cos(x)$ function has period $2\pi$.

Notice that Chebyshev polynomials can be alternatively defined as follows:

Definition 4.1 Let $n$ be an integer, and let $x$ be a variable taking values over the interval $[-1,1]$.
The polynomial $T_n(x) : [-1,1] \to [-1,1]$ is defined as:

$$T_n(x) = \cos(n \cdot \arccos(x)).$$

A simple trigonometric argument shows that Definition 2.1 and Definition 4.1 are equivalent.

Description of the Attack. Let $(x, T_s(x))$ be Alice's public key. In order to encrypt a message
$M$, Bob chooses a large integer $r$ and computes:

$$T_r(x), \qquad T_{r \cdot s}(x) = T_r(T_s(x)), \qquad \text{and} \qquad X = M \cdot T_{r \cdot s}(x).$$

Then, he sends the ciphertext $C = (T_r(x), X)$ to Alice.

Unfortunately an adversary, given Alice's public key $(x, T_s(x))$ and the ciphertext $(T_r(x), X)$,
can recover $M$. The adversary, to get the message, does the following:

1. Computes an $r'$ such that $T_{r'}(x) = T_r(x)$.

2. Evaluates $T_{r' \cdot s}(x) = T_{r'}(T_s(x))$.

3. Recovers $M = X / T_{r' \cdot s}(x)$.

The attack is always successful because, if $r'$ is such that $T_{r'}(x) = T_r(x)$, then:

$$T_{r \cdot s}(x) = T_{s \cdot r}(x) = T_s(T_r(x)) = T_s(T_{r'}(x)) = T_{r'}(T_s(x)).$$

Let us show how such an $r'$ can be computed. Let $\mathbb{N}$ be the set of natural numbers and let $\mathbb{Z}$ be
the set of integers. According to Definition 4.1 it holds that $T_r(x) = \cos(r \cdot \arccos(x))$. Let

$$V = \left\{ \frac{\pm \arccos(T_r(x)) + 2k\pi}{\arccos(x)} \;\middle|\; k \in \mathbb{Z} \right\}$$

(here $\arccos(x) \ne 0$, i.e. $x \ne 1$; for $x = 1$ every $T_n(x)$ equals 1 and the public key carries no information at all).

Notice that some $r'$ belonging to the set $V$ might not be integers. However, the following result
shows that $V$ contains all possible integers $r'$ defining polynomials $T_{r'}(x)$ passing through $T_r(x)$.

Lemma 4.2 For each pair $(x, T_r(x))$, the integer $r'$ satisfies $T_{r'}(x) = T_r(x)$ if and only if $r' \in V \cap \mathbb{N}$.

Proof. Let $r' \in V \cap \mathbb{N}$. Assume that

$$r' = \frac{\arccos(T_r(x)) + 2k'\pi}{\arccos(x)}$$

for a certain $k'$. By using Definition 4.1 it holds that

$$T_{r'}(x) = \cos(r' \cdot \arccos(x)) = \cos\left(\frac{\arccos(T_r(x)) + 2k'\pi}{\arccos(x)} \cdot \arccos(x)\right) = \cos(\arccos(T_r(x)) + 2k'\pi) = \cos(\arccos(T_r(x))) = T_r(x).$$

Hence, if $r' \in V \cap \mathbb{N}$, then $T_{r'}(x) = T_r(x)$. If $r' = \frac{-\arccos(T_r(x)) + 2k'\pi}{\arccos(x)}$, apply exactly the same
argument.

On the other hand, assume that $T_{r'}(x) = T_r(x)$ for a certain $r' \in \mathbb{N}$. Then,

$$T_{r'}(x) = \cos(r' \cdot \arccos(x)) = T_r(x).$$

Applying the $\arccos$ function to both members, we get:

$$\arccos(\cos(r' \cdot \arccos(x))) = \arccos(T_r(x)). \qquad (4)$$

Let $y = \arccos(w)$. Due to the equality $\cos(-\beta) = \cos(\beta)$, for every angle $\beta$, and due to the
periodicity of the $\cos$ function, all angles $\beta$ such that $\cos(\beta) = w$ are given by $\beta = \pm y + 2k\pi$, for
$k \in \mathbb{Z}$. Therefore, identity (4) holds if and only if

$$r' \cdot \arccos(x) = \pm \arccos(T_r(x)) + 2k'\pi,$$

where $k' \in \mathbb{Z}$. Dividing both members by $\arccos(x)$, we get:

$$r' = \frac{\pm \arccos(T_r(x)) + 2k'\pi}{\arccos(x)},$$

i.e., $r' \in V \cap \mathbb{N}$. Thus, the lemma holds. □
Using the above result, denoting by

$$a = \frac{\arccos(T_r(x))}{\arccos(x)} \qquad \text{and} \qquad b = \frac{2\pi}{\arccos(x)}, \qquad (5)$$

the adversary has to find an integer $k \in \mathbb{Z}$ and a positive integer $u \in \mathbb{N}$ solving one of the two
equations

$$a + k \cdot b = u \qquad \text{or} \qquad -a + k \cdot b = u, \qquad (6)$$

given $a$ and $b$.

Let $(a \bmod 1)$ and $(b \bmod 1)$ be the fractional parts of $a$ and $b$. Since the integer parts of $a$ and of $k \cdot b$
contribute only integers, the actual problem becomes solving

$$(a \bmod 1) + k \cdot (b \bmod 1) = z \qquad \text{or} \qquad -(a \bmod 1) + k \cdot (b \bmod 1) = z$$

for an integer $z$.

How to find $k$ in a real implementation. Assume that we use a finite precision implementation in base
$B \ge 2$, and that $L$ is the maximum number of digits of $(a \bmod 1)$ and $(b \bmod 1)$. Then, multiplying
all terms by $B^L$, we can rewrite the above equations in the equivalent form

$$(a \bmod 1) \cdot B^L + k \cdot (b \bmod 1) \cdot B^L = z \cdot B^L$$

and

$$-(a \bmod 1) \cdot B^L + k \cdot (b \bmod 1) \cdot B^L = z \cdot B^L.$$

Denoting by $a'$ the integer $(a \bmod 1) \cdot B^L$ and by $b'$ the integer $(b \bmod 1) \cdot B^L$, the solutions to the
above equations are exactly the solutions to the linear modular equations

$$b' \cdot k \equiv -a' \pmod{B^L} \qquad \text{and} \qquad b' \cdot k \equiv a' \pmod{B^L}, \qquad (7)$$

respectively.

However, notice that we can restrict our attention to just one of the above modular equations.
Indeed, since $b' \cdot k \equiv -a' \pmod{B^L}$ is equivalent to $b' \cdot (-k) \equiv a' \pmod{B^L}$, once we have solved
$b' \cdot k \equiv a' \pmod{B^L}$, we easily derive the solutions to the other one. More precisely, if $k$ is a solution
to $b' \cdot k \equiv a' \pmod{B^L}$ then $B^L - k$ is a solution to $b' \cdot k \equiv -a' \pmod{B^L}$.

We can efficiently get the set of solutions to linear modular equations of the form $b' k \equiv a' \pmod{B^L}$
(see, for example, Chap. 33 of [ ]). Denoting by $\langle b' \rangle = \{ b' j \bmod B^L \mid j \in \mathbb{Z}_{B^L} \}$ the subgroup of
elements of $\mathbb{Z}_{B^L}$ generated by $b'$, it is easy to see that the modular equation has solutions if and
only if $a' \in \langle b' \rangle$. Moreover, denoting by $d$ the $\gcd(b', B^L)$, the above membership condition is
equivalent to $d \mid a'$. The set of distinct solutions to $b' k \equiv a' \pmod{B^L}$ (if any exist) has cardinality $d$
and is given by

$$x_j = x_0 + j \cdot \frac{B^L}{d} \bmod B^L, \qquad \text{for } j = 0, \ldots, d-1,$$

where the first solution $x_0$ can be obtained directly by applying the Extended Euclidean Algorithm.
Indeed, such an algorithm, on input $(b', B^L)$, outputs a triple $(d, s', t')$ of integers where $d = b' s' +
B^L t'$, and it is easy to check that $x_0 = s' \cdot \frac{a'}{d} \bmod B^L$ is a solution to $b' k \equiv a' \pmod{B^L}$. From a computational
point of view, the above procedure is efficient since the running time of the Extended Euclidean
Algorithm requires $O(\log B^L)$ steps in the worst case.

Coming back to our setting, notice that the equations given in (7) have solutions by construction
(Bob's own $r$ is one of the integers in $V$). More precisely, there are exactly $d = \gcd(b', B^L)$ distinct solutions for each of them, which can be
easily found applying the above method. Clearly, just one solution suffices for the adversary's goal. In practice
$a$ and $b$ are themselves computed from $x$ and $T_r(x)$ with finite precision, so a candidate $r'$ should be
checked by verifying $T_{r'}(x) = T_r(x)$ before it is used.



4.2 An Example

We show how an adversary, given Alice's public key $(x, T_s(x))$ and the ciphertext $C = (T_r(x), X)$,
where $X = M \cdot T_{rs}(x)$, constructed by Bob in order to send $M$ to Alice, computes the value $T_{rs}(x)$.
Then, dividing $X$ by $T_{rs}(x)$, he recovers $M$.

Let us start by generating Alice's public key parameters.

Let $B = 10$, $\pi = 3.141592654$, $x = 0.64278761$ and $s = 106000$. Then, $\arccos(x) = \frac{5}{18}\pi$, and
$T_s(x) = \cos(s \cdot \arccos x) = \cos(106000 \cdot \frac{5}{18}\pi) = 0.173648178$. Hence, Alice's public key is given by
the pair

$$(x, T_s(x)) = (0.64278761, 0.173648178).$$

Assume that Bob, in order to encrypt a message $M$, chooses $r = 81500$. Then,

$$T_r(x) = \cos(r \cdot \arccos x) = \cos(81500 \cdot \tfrac{5}{18}\pi) = -0.939692621,$$

and

$$T_r(T_s(x)) = \cos(r \cdot \arccos(T_s(x))) = \cos(81500 \cdot \tfrac{4}{9}\pi) = 0.766044443.$$

By applying the strategy described before, an adversary computes an $r'$ such that $T_{r'}(T_s(x)) =
T_r(T_s(x))$. Since it holds that

$$\arccos(T_r(x)) = \frac{8\pi}{9} \qquad \text{and} \qquad \arccos(x) = \frac{5\pi}{18},$$

the set of possible integer indices $r'$ is given by

$$\left\{ \frac{\pm \arccos(T_r(x))}{\arccos(x)} + \frac{2\pi}{\arccos(x)} k \;\middle|\; k \in \mathbb{Z} \right\} = \{ \pm 3.2 + 7.2k \mid k \in \mathbb{Z} \}.$$

Hence, the adversary has to find a solution to one of the following two equations

$$3.2 + 7.2 k_1 = u_1 \qquad \text{and} \qquad -3.2 + 7.2 k_2 = u_2, \qquad (8)$$

where $u_1, u_2 \in \mathbb{N}$. By considering only the fractional parts, the problem becomes solving one of

$$0.2 + 0.2 k_1 = z_1 \qquad \text{or} \qquad -0.2 + 0.2 k_2 = z_2,$$

where $z_1, z_2 \in \mathbb{Z}$. Since $L = 1$, then $B^L = 10$, and the above equations are equivalent to

$$2 + 2k_1 = 10 z_1 \qquad \text{and} \qquad -2 + 2k_2 = 10 z_2,$$

whose solutions are exactly the solutions to the modular equations

$$2k \equiv 8 \pmod{10} \qquad \text{and} \qquad 2k \equiv 2 \pmod{10}. \qquad (9)$$

Let us consider the first one. This equation has solutions since $\gcd(2, 10) = 2$ and $2 \mid 8$. Precisely,
there are 2 solutions, given by $k = 4 + 5i$, for $i = 0, 1$, where 4 is the solution $x_0$ obtained directly
by means of the Extended Euclidean Algorithm. By choosing one of them, for example 4, the
corresponding index $r'$, computed by evaluating the first equation of (8), is 32. Then, it holds that:

$$T_{32}(T_s(x)) = \cos(32 \cdot \tfrac{4}{9}\pi) = 0.766044443.$$

Hence, the adversary has computed $T_{rs}(x)$. The cleartext sent by Bob is computed by the adversary
as $X / T_{32 \cdot s}(x)$.

For completeness, notice that the two solutions to the second equation are $\{6, 1\}$ and are obtained by
computing $-4 \bmod 10$ and $-9 \bmod 10$. By choosing one of them, for example 1, the corresponding
index $r'$, computed by evaluating the second equation of (8), is 4. Then, it holds that:

$$T_4(T_s(x)) = \cos(4 \cdot \tfrac{4}{9}\pi) = 0.766044443.$$

Hence, the adversary has computed $T_{rs}(x)$. The cleartext sent by Bob is computed by the adversary
as $X / T_{4 \cdot s}(x)$.
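The attack of Section 4.1, run on the instance of Section 4.2, as an added example written for this page (it is not the paper's code). The adversary is given only Alice's public key $(x, T_s(x))$ and Bob's ciphertext $(T_r(x), X)$, all as ordinary double-precision numbers; the `digits` parameter plays the role of $L$ (the values $a$ and $b$ of equation (5) are rounded to that many decimal places before the modular equations (7) are solved), and the message $M = 0.25$, the choice $L = 6$ and the tolerance used to accept a candidate $r'$ are constructed for the example. The final check $T_{r'}(x) = T_r(x)$ is not part of the paper's description: it guards against $a$ and $b$ having been rounded more coarsely than the implementation under attack actually stores them.

```python
"""Plaintext recovery of Sections 4.1 and 4.2 (added example; not the paper's code).

The adversary sees only Alice's public key (x, T_s(x)) and Bob's ciphertext
(T_r(x), X).  Everything is double precision; `digits` plays the role of L in
Section 4.1 and must not exceed the accuracy to which a and b of eq. (5) are
known (6 here, an assumption of this example)."""
from math import acos, cos, pi


def cheb(n: int, x: float) -> float:
    """T_n(x) = cos(n arccos x)  (Definition 4.1); the angle is reduced modulo 2 pi."""
    return cos((n * acos(x)) % (2 * pi))


def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: (d, s, t) with d = gcd(a, b) = a*s + b*t."""
    if b == 0:
        return a, 1, 0
    d, s, t = egcd(b, a % b)
    return d, t, s - (a // b) * t


def solve_linear_mod(bp: int, ap: int, m: int):
    """Solutions k of bp*k = ap (mod m) as (k0, step, count): k = k0 + j*step for
    j = 0..count-1, count = gcd(bp, m).  None when gcd(bp, m) does not divide ap."""
    d, s, _ = egcd(bp, m)
    if ap % d:
        return None
    return (s * (ap // d)) % m, m // d, d


def candidate_indices(a: float, b: float, digits: int, limit: int = 4, base: int = 10) -> list:
    """Positive integers r' = +-a + k*b for the a, b of eq. (5), obtained by solving the
    modular equations (7) with L = `digits` base-B digits of the fractional parts.
    At most `limit` values of k are expanded per sign (there are gcd(b', B^L) of them)."""
    m = base ** digits
    A, B = round(a * m), round(b * m)          # a and b scaled to integers with L fractional digits
    ap, bp = A % m, B % m                      # a' = (a mod 1) B^L,  b' = (b mod 1) B^L
    found = set()
    for sign in (+1, -1):
        # sign*a + k*b is an integer  <=>  b' k = -sign a'  (mod B^L)
        sol = solve_linear_mod(bp, (-sign * ap) % m, m)
        if sol is None:
            continue
        k0, step, count = sol
        for j in range(min(count, limit)):
            num = sign * A + (k0 + j * step) * B   # divisible by m by construction
            if num > 0:
                found.add(num // m)
    return sorted(found)


def recover_plaintext(x: float, t_s: float, t_r: float, big_x: float,
                      digits: int, tol: float = 1e-6) -> tuple:
    """The attack: compute a, b from the public values, find an r' with T_{r'}(x) = T_r(x),
    then M = X / T_{r'}(T_s(x)).  Returns (r', M)."""
    theta = acos(x)
    a, b = acos(t_r) / theta, 2 * pi / theta    # eq. (5)
    for r_prime in candidate_indices(a, b, digits):
        if abs(cheb(r_prime, x) - t_r) < tol:   # guard against the rounding of a and b
            return r_prime, big_x / cheb(r_prime, t_s)
    raise ValueError("no index r' found; use fewer digits or a larger limit")


if __name__ == "__main__":
    # Constructed from Section 4.2: x = cos(5 pi/18), s = 106000, r = 81500.
    x, t_s, t_r = 0.64278761, 0.173648178, -0.939692621
    m = 0.25                                     # Bob's message (constructed)
    big_x = m * 0.766044443                      # X = M * T_rs(x)
    print(candidate_indices(3.2, 7.2, digits=1))   # the paper's instance: 4, 32, ...
    print(recover_plaintext(x, t_s, t_r, big_x, digits=6))
```

On the paper's instance ($a = 3.2$, $b = 7.2$, $L = 1$) `candidate_indices` returns 4 and 32 together with the next solutions 40 and 68; on the public values themselves it recovers $M$ with $r' = 4$, the smallest index. Raising `digits` beyond the accuracy of the computed $a$ and $b$ (about nine significant digits here, limited by the nine-digit values in the example) produces wrong $a'$, $b'$ and the guard rejects every candidate.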




5 A Cryptosystem based on Jacobian Elliptic Chebyshev Rational Maps

As suggested in [21], instead of using Chebyshev polynomials, the cryptosystem we have previously
analysed can also be realized by using the Jacobian Elliptic Chebyshev Rational Maps, studied in
[31] and [22]. In the following subsections we show how to implement such a cryptosystem. Then,
we show that the attack we have identified for the cryptosystem based on Chebyshev polynomials
applies to this cryptosystem as well.
5.1 Jacobian Elliptic Chebyshev Rational Maps

The Jacobian Elliptic Chebyshev Rational Maps are rational functions defined as follows [22]:

Definition 5.1 Let $p$ be a positive integer, let $\omega \in [-1,1]$ be a real number, and let $k \in [0,1]$ be a
real number called modulus. Jacobian Elliptic Chebyshev Rational Maps are defined by

where $R_0(\omega, k) = 1$ and $R_1(\omega, k) = \omega$.

Notice that, when the modulus $k = 0$, the Jacobian Elliptic Chebyshev Rational Map $R_p(\omega, 0)$
is exactly a Chebyshev polynomial, i.e., $R_p(\omega, 0) = T_p(\omega)$.

Jacobian Elliptic Chebyshev Rational Maps enjoy the semi-group property. Indeed, for all
integers $r, s \ge 2$, and for each $\omega, k$, it holds that

$$R_r(R_s(\omega, k), k) = R_{r \cdot s}(\omega, k). \qquad (10)$$

Hence, these maps commute under composition, i.e.,

$$R_r(R_s(\omega, k), k) = R_s(R_r(\omega, k), k).$$

5.2 The Cryptosystem

The cryptosystem is composed of three algorithms: a Key Generation algorithm, an Encryption
algorithm, and a Decryption algorithm.

Key Generation Algorithm. Key Generation takes place in three steps.

Alice, in order to generate the keys, does the following:

1. Generates a large integer $s$.

2. Selects two random numbers $\omega \in [-1,1]$ and $k \in [0,1]$, and computes $R_s(\omega, k)$.

3. Sets her public key to $(\omega, k, R_s(\omega, k))$ and her private key to $s$.

Encryption Algorithm. Encryption requires five steps.

Bob, in order to encrypt a message, does the following:

1. Obtains Alice's authentic public key $(\omega, k, R_s(\omega, k))$.

2. Represents the message as a number $M \in [-1,1]$.

3. Generates a large integer $r$.

4. Computes $R_r(\omega, k)$, $R_{r \cdot s}(\omega, k) = R_r(R_s(\omega, k), k)$, and $X = M \cdot R_{r \cdot s}(\omega, k)$.

5. Sends the ciphertext $C = (R_r(\omega, k), X)$ to Alice.

Decryption Algorithm. Decryption requires two steps.

Alice, to recover the plaintext $M$ from the ciphertext $C$, does the following:

1. Uses her private key $s$ to compute $R_{s \cdot r}(\omega, k) = R_s(R_r(\omega, k), k)$.

2. Recovers $M$ by computing $M = X / R_{s \cdot r}(\omega, k)$.

Notice that the value of $k$, which defines the form of the map, could be the same for all users of
the system.

5.3 Correctness of the Cryptosystem

The cryptosystem is correct due to the semi-group property of the Jacobian Elliptic Chebyshev
Rational Maps. Indeed, encryption provides:

$$X = M \cdot R_r(R_s(\omega, k), k).$$

Since the maps commute under composition, it follows that:

$$X = M \cdot R_s(R_r(\omega, k), k).$$

Therefore:

$$M = X / R_{s \cdot r}(\omega, k).$$

5.4 Jacobian Elliptic Functions and Jacobian Elliptic Chebyshev Rational Maps

Jacobian elliptic Chebyshev rational maps can be equivalently defined by means of the Jacobian
elliptic functions [22].

Let $\omega \in [-1,1]$, let $k \in [0,1]$, and let $\varphi \in [0, 2\pi]$ be the angle, referred to as the amplitude of $\omega$,
defined by

$$\omega = \int_0^{\varphi} \frac{d\theta}{(1 - k^2 \cdot \sin^2(\theta))^{\frac{1}{2}}}.$$

Then, the Jacobian elliptic functions $sn(\omega, k)$ and $cn(\omega, k)$ are defined as follows:

$$sn(\omega, k) = \sin(\varphi) \qquad \text{and} \qquad cn(\omega, k) = \cos(\varphi).$$

Let $k' = \sqrt{1 - k^2}$. The above functions are doubly-periodic, having a real period and an imaginary
one. More precisely, denoting by

$$K = \int_0^{\pi/2} \frac{d\theta}{(1 - k^2 \cdot \sin^2(\theta))^{\frac{1}{2}}} \qquad \text{and} \qquad iK' = i \int_0^{\pi/2} \frac{d\theta}{(1 - k'^2 \cdot \sin^2(\theta))^{\frac{1}{2}}},$$

where $i$ is the imaginary unit, we get that $sn(\omega, k)$ has periods $4K$ and $2iK'$, while $cn(\omega, k)$ has
periods $4K$ and $2K + 2iK'$. We restrict our attention to the real periodicity.

For any fixed $k$, the function $cn^{-1}(v, k)$, inverse of the Jacobian elliptic function $cn(\omega, k)$ relative
to the interval $[0, 2K]$, is given by:

$$cn^{-1}(v, k) = \int_0^{\psi} \frac{d\theta}{(1 - k^2 \sin^2(\theta))^{\frac{1}{2}}},$$

where $\psi = \arccos(v)$.

Then, we can state the following alternative definition for the Jacobian elliptic Chebyshev rational
maps:

Definition 5.2 Let $p \ge 2$ be an integer, let $k \in [0,1]$ be a real number, and let $\omega \in [-1,1]$. The
Jacobian elliptic Chebyshev rational maps with modulus $k$ are defined by

$$R_p(\omega, k) = cn(p \cdot cn^{-1}(\omega, k), k).$$

5.5 Efficient Computation of cn{uj,k), sn{uj,k), and cn^^{v,k), 

The functions cniuj^k), sn(uj,k), and cn^^{v,k), all defined in terms of elliptic integrals, can be 
efficiently computed by means of the Arithmetic- Geometric Method, (A.G.M. method, for short). 
Roughly speaking, such a method works as follows: starting with {ao,bo), it proceeds to determine 
number triples 

(ai, 5i, ci), (a2, 62, C2), . . . , (a„, 6„, c„) 
according to the following scheme of arithmetic and geometric mean: 

flj+i ^ ^(flj + bj) bj+i ^ {oj ■ and Cj+i ^ ^{a^ - bj). 

Assume that we use an arithmetic in base B with iV-digit precision of the operations. The 
procedure stops at the n-th step when a„ = &„, i.e., when c„ ~ 0. Notice that such an equality 
is achieved when the relative error e„ = 1 — ^ is less than the degree of accurancy fixed by the 
implementation i.e., . It has been estimated (see, for example |33|) that the relative error 

= 1 — ^ decays approximatively as ~ from which it easily follows that the method 

converges after roughly logiV steps. 

To compute the functions cn{uj, k) and sn{u), k), we apply the A.G.M method starting with qq = 
1, and bo = k' . Once the A.G.M method stops, we compute the angle (in degrees) = 2"a„a;-'^. 
Then, applying, for j = n, . . . ,1, the recurrence relation sin (2(/)j-i — (pj) — — siiKpj, we compute 
the angles 0„_i, 0„_2, . . . , 0o- Finally, 

sn{u!, k) = sin 00 and cn{uj, k) ~ coscj)^. 

On the other hand, to evaluate cn~^{v, k), for j — 0, . . . , n— 1, by applying the recurrence relation 
tan (7j+i ^ 7j) — ^ tan7j, where 70 — ^p, we compute the angles 71, . . . , 7„, and then 

-1/ 1 \ In 

en (v, k) — . 

Notice that the quarter-period K can be easily computed as well, since it is a special case of the 
computation of cn{Lo, k) (just set the angle (p = tt/2). The reader is referred to [Tl for further details 
on the A.G.M method, and on the computation of sn{uj, k), cn(uj, k), and cn~^(v, k). Moreover, an 
efficient implementation of the above functions can be found in (54] . 
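As an added illustration, which is neither the paper's code nor the implementation of [54], the following Python functions carry out the A.G.M. recurrences described above in IEEE double precision and use them to evaluate the maps $R_p(\omega, k)$ of Definition 5.2. The stopping tolerance, the way the branch of the arctangent is fixed in the ascending recurrence, and all sample values are my own choices; the checks at the end confirm the facts the rest of the paper relies on: $cn^{-1}(0, k) = K$, the real period $4K$, the semi-group property, and the observation (used in the security analysis of Section 6) that two indices giving the same $R_r(\omega, k)$ also give the same $R_r(R_s(\omega, k), k)$.

```python
import math

# Added example (not the paper's code): the A.G.M. method of Subsection 5.5 in
# double precision.  Tolerances and sample values are my own choices.

def agm_triples(k, tol=1e-15):
    """Return [(a_0,b_0,c_0), ..., (a_n,b_n,c_n)] for the iteration started at
    a_0 = 1, b_0 = k' = sqrt(1 - k^2), c_0 = k, stopping once c_n is negligible,
    i.e. once a_n and b_n agree to working precision."""
    a, b, c = 1.0, math.sqrt(1.0 - k * k), k
    triples = [(a, b, c)]
    while abs(c) > tol:
        a, b, c = 0.5 * (a + b), math.sqrt(a * b), 0.5 * (a - b)
        triples.append((a, b, c))
    return triples

def sn_cn(omega, k):
    """sn(omega,k) and cn(omega,k): start from phi_n = 2^n a_n omega and descend with
    sin(2 phi_{j-1} - phi_j) = (c_j / a_j) sin(phi_j) for j = n, ..., 1."""
    tr = agm_triples(k)
    n = len(tr) - 1
    phi = 2.0 ** n * tr[n][0] * omega
    for j in range(n, 0, -1):
        a_j, _, c_j = tr[j]
        # |c_j / a_j sin(phi)| < 1 and 2 phi_{j-1} - phi_j is small, so the
        # principal branch of arcsin is the right one.
        phi = 0.5 * (phi + math.asin(c_j / a_j * math.sin(phi)))
    return math.sin(phi), math.cos(phi)

def cn_inv(v, k):
    """cn^{-1}(v,k) for v in [-1, 1]: start from gamma_0 = arccos(v), ascend with
    tan(gamma_{j+1} - gamma_j) = (b_j / a_j) tan(gamma_j) for j = 0, ..., n-1,
    then divide by 2^n a_n.  Writing gamma_{j+1} = 2 gamma_j + eps_j with
    |eps_j| < pi/2 selects the correct branch (b_j / a_j tends to 1).  The
    result lies in [0, 2K]."""
    tr = agm_triples(k)
    n = len(tr) - 1
    gamma = math.acos(v)
    for j in range(n):
        a_j, b_j, _ = tr[j]
        ratio = b_j / a_j
        s, c = math.sin(gamma), math.cos(gamma)
        # tan(eps) = (ratio - 1) tan(gamma) / (1 + ratio tan(gamma)^2), rewritten
        # with sin and cos so that it is defined for every gamma.
        eps = math.atan((ratio - 1.0) * s * c / (c * c + ratio * s * s))
        gamma = 2.0 * gamma + eps
    return gamma / (2.0 ** n * tr[n][0])

def quarter_period(k):
    """K = cn^{-1}(0,k): the inverse recurrence started from the angle pi/2."""
    return cn_inv(0.0, k)

def R(p, omega, k):
    """Jacobian elliptic Chebyshev rational map R_p(omega,k) = cn(p cn^{-1}(omega,k), k)."""
    return sn_cn(p * cn_inv(omega, k), k)[1]

def semigroup_gap(p, q, omega, k):
    """|R_p(R_q(omega,k),k) - R_{pq}(omega,k)|, zero up to rounding."""
    return abs(R(p, R(q, omega, k), k) - R(p * q, omega, k))

def collision_gap(r, r_alt, s, omega, k):
    """Two differences: |R_r(omega,k) - R_{r'}(omega,k)| and
    |R_r(R_s(omega,k),k) - R_{r'}(R_s(omega,k),k)|.  When the first is zero the
    second is too, which is what the analysis in Section 6 rests on."""
    public = abs(R(r, omega, k) - R(r_alt, omega, k))
    shared = abs(R(r, R(s, omega, k), k) - R(r_alt, R(s, omega, k), k))
    return public, shared

if __name__ == "__main__":
    k = 0.3
    K = quarter_period(k)
    # omega is constructed so that cn^{-1}(omega,k) = 4K/5; then r = 2 and
    # r' = 7 give the same R_r(omega,k) because 7 * 4K/5 = 2 * 4K/5 + 4K.
    omega = sn_cn(4 * K / 5, k)[1]
    print("K(0.3) =", K)
    print("semigroup gap R_3(R_5) vs R_15:", semigroup_gap(3, 5, omega, k))
    print("collision gaps for r=2, r'=7, s=3:", collision_gap(2, 7, 3, omega, k))
```

The descending and ascending recurrences are inverses of each other (the test below checks the round trip $cn^{-1}(cn(u, k), k) = u$ for $u \in [0, 2K]$), so $R_p$ computed this way depends on $p \cdot cn^{-1}(\omega, k)$ only modulo the real period $4K$ and up to sign, exactly as the periodicity argument of Section 6 requires.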

6 Security Analysis of the Cryptosystem 

Apart from the complexity of the mathematical objects we are dealing with, the attack we have applied against the public key scheme based on Chebyshev polynomials still works against the cryptosystem based on Jacobian elliptic Chebyshev rational maps.

6.1 How to Recover the Plaintext 

Let $(\omega, k, R_s(\omega, k))$ be Alice's public key. In order to encrypt a message $M$, Bob chooses a large integer $r$ and computes

$$R_r(\omega, k), \qquad R_{r \cdot s}(\omega, k) = R_r(R_s(\omega, k), k), \qquad \text{and} \qquad X = M \cdot R_{r \cdot s}(\omega, k).$$

Then, he sends the ciphertext $C = (R_r(\omega, k), X)$ to Alice.

Unfortunately an adversary, given Alice's public key $(\omega, k, R_s(\omega, k))$ and the ciphertext $C = (R_r(\omega, k), X)$, can recover $M$ as follows:

The adversary, to get the message, does the following:

1. Computes an $r'$ such that $R_{r'}(\omega, k) = R_r(\omega, k)$.

2. Evaluates $R_{r' \cdot s}(\omega, k) = R_{r'}(R_s(\omega, k), k)$.

3. Recovers $M = X / R_{r' \cdot s}(\omega, k)$.

The attack is always successful because, if $r'$ is such that $R_{r'}(\omega, k) = R_r(\omega, k)$, then:

$$R_{r \cdot s}(\omega, k) = R_{s \cdot r}(\omega, k) = R_s(R_r(\omega, k), k) = R_s(R_{r'}(\omega, k), k) = R_{s \cdot r'}(\omega, k) = R_{r' \cdot s}(\omega, k) = R_{r'}(R_s(\omega, k), k).$$

Let us show how such an $r'$ can be computed. According to Definition 5.2 it holds

$$R_r(\omega, k) = cn(r \cdot cn^{-1}(\omega, k), k).$$

Hence, applying the $cn^{-1}$ function to both members of the equality, and using the periodicity of $cn(\omega, k)$ and the property $cn(\omega, k) = cn(-\omega, k)$, we get that

$$\pm cn^{-1}(R_r(\omega, k), k) + z \cdot 4K = r \cdot cn^{-1}(\omega, k)$$

for $z \in \mathbb{Z}$. Notice that we are only considering the real periodicity, since we are not interested in imaginary solutions. Let

$$V = \left\{ \frac{\pm cn^{-1}(R_r(\omega, k), k) + z \cdot 4K}{cn^{-1}(\omega, k)} : z \in \mathbb{Z} \right\}.$$

We can show that $V$ contains all possible integers $r'$ defining maps $R_{r'}(\omega, k)$ passing through $R_r(\omega, k)$, for given $r$, $\omega$, and $k$. The proof proceeds along the same lines as the proof of Lemma 1; we omit it since it is essentially the same.

Lemma 6.1 For each triple $(\omega, k, R_r(\omega, k))$, the integer $r'$ satisfies $R_{r'}(\omega, k) = R_r(\omega, k)$ if and only if $r' \in V \cap \mathbb{N}$.

The elements of $V \cap \mathbb{N}$ can then be computed exactly as in the case of Chebyshev polynomials. Hence, an adversary can recover the plaintext from the ciphertext.
6.2 An Example 

We show how an adversary, given Alice's public key $(\omega, k, R_s(\omega, k))$ and the ciphertext $C = (R_r(\omega, k), X)$, where $X = M \cdot R_{rs}(\omega, k)$, constructed by Bob in order to send $M$ to Alice, computes the value $R_{rs}(\omega, k)$. Then, dividing $X$ by $R_{rs}(\omega, k)$, he recovers $M$.

Let us start by generating Alice's public key parameters. Let $B = 10$, $\omega = 0.435946$, $k = 0.3$, and $s = 2342$. Then, $cn(s \cdot cn^{-1}(\omega, k), k) = 0.245756$. Hence, Alice's public key is given by the triple

$$(\omega, k, R_s(\omega, k)) = (0.435946, 0.3, 0.245756).$$

Assume that Bob, in order to encrypt a message $M$, chooses $r = 1876$. Then,

$$R_r(\omega, k) = cn(r \cdot cn^{-1}(\omega, k), k) = -0.938538$$

and

$$R_r(R_s(\omega, k), k) = cn(r \cdot cn^{-1}(R_s(\omega, k), k), k) = 0.613408.$$

By applying the strategy described in Subsection 6.1, an adversary computes an $r'$ such that $R_{r'}(R_s(\omega, k), k) = R_r(R_s(\omega, k), k)$. The set of possible integer indices $r'$ is given by $V \cap \mathbb{N}$ (Lemma 6.1). Hence, the adversary has to find a solution to one of the following two equations

$$2.6 + 5.8\,k_1 = u_1 \qquad \text{and} \qquad -2.6 + 5.8\,k_2 = u_2, \qquad\qquad (11)$$

where $u_1, u_2 \in \mathbb{N}$. By considering only the fractional parts, the problem becomes solving one of

$$0.6 + 0.8\,k_1 = z_1 \qquad \text{or} \qquad -0.6 + 0.8\,k_2 = z_2,$$

where $z_1, z_2 \in \mathbb{N}$. Since $L = 1$, then $B^L = 10$, and the above equations are equivalent to

$$6 + 8 k_1 = 10 z_1 \qquad \text{and} \qquad -6 + 8 k_2 = 10 z_2,$$

whose solutions are exactly the solutions to the modular equations

$$8k \equiv 4 \pmod{10} \qquad \text{and} \qquad 8k \equiv 6 \pmod{10}. \qquad\qquad (12)$$

Let us consider the first one. This equation has solutions since $\gcd(8, 10) = 2$ and $2 \mid 4$. Precisely, there are 2 solutions, given by $k = 3 + 5i$, for $i = 0, 1$, where 3 is the solution $x_0$ obtained directly by means of the Extended Euclidean Algorithm. By choosing one of them, for example 3, the corresponding index $r'$, computed by evaluating the first equation of (11), is 20. Then, it holds that

$$R_{20}(R_s(\omega, k), k) = cn(20 \cdot cn^{-1}(R_s(\omega, k), k), k) = 0.613408.$$

Hence, the adversary has computed $R_{rs}(\omega, k)$. The cleartext sent by Bob is computed by the adversary as $M = X / R_{20 \cdot s}(\omega, k)$.
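The integer step of this example, as an added illustration that is not the paper's code: once the real coefficients of the equations (11) are known to $L$ digits in base $B$, requiring the fractional part to vanish leaves a linear congruence, which is solved with the Extended Euclidean Algorithm exactly as done above for $8k \equiv 4 \pmod{10}$. The functions below perform that step for arbitrary truncated coefficients, so they go beyond the single instance in the text; the values $2.6$, $5.8$, $L = 1$ and $B = 10$ are the paper's, and the function names and the return format are mine.

```python
from math import gcd

# Added example (not the paper's code): the linear-congruence step of the worked
# example in Subsection 6.2, written for arbitrary truncated coefficients.

def linear_congruence_solutions(a, b, n):
    """All x in [0, n) with a*x = b (mod n).  Empty when g = gcd(a, n) does not
    divide b; otherwise exactly g solutions x0 + t*(n/g), t = 0, ..., g-1, where
    x0 is obtained from the inverse of a/g modulo n/g (Extended Euclid)."""
    g = gcd(a, n)
    if b % g:
        return []
    a, b, n_red = a // g, b // g, n // g
    x0 = (b * pow(a, -1, n_red)) % n_red
    return [x0 + t * n_red for t in range(g)]

def candidate_indices(alpha, beta, L, B=10):
    """Natural numbers u with u = +-alpha + beta*k (k a natural number), given that
    alpha and beta are known to L base-B digits.  Scaling by B^L turns the two
    equations of the form (11) into  +-A + C*k = B^L * u, i.e. into the
    congruence C*k = -(+-A) (mod B^L).  Returns (sign, k, u) for each solution k
    below B^L; larger k differ by multiples of B^L / gcd(C, B^L)."""
    scale = B ** L
    A, C = round(alpha * scale), round(beta * scale)   # 26 and 58 for the paper's data
    found = []
    for sign in (+1, -1):
        for k in linear_congruence_solutions(C % scale, (-sign * A) % scale, scale):
            found.append((sign, k, (sign * A + C * k) // scale))
    return found

if __name__ == "__main__":
    print(linear_congruence_solutions(8, 4, 10))   # the first equation of (12)
    print(linear_congruence_solutions(8, 6, 10))   # the second equation of (12)
    print(candidate_indices(2.6, 5.8, 1))          # contains (1, 3, 20), the index used above
```

Note that the truncation is what makes the set finite: with $L$ digits there are at most $2 \cdot B^L$ residue classes to examine for $k$, independently of how large the index $r$ chosen by Bob is.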

7 Key Agreement by using Rational Maps 

Rational maps enjoying the semi-group property can also be used to design a Diffie-Hellman like key agreement scheme. Umeno was the first author who suggested such a method. Let us briefly recall the following definitions, given in [25].

Definition 7.1 Key establishment is any process whereby a shared secret key becomes available to 
two or more parties, for subsequent cryptographic use. 

Definition 7.2 A key agreement protocol or mechanism is a key establishment technique in which 
a shared secret is derived by two or more parties as a function of information contributed by, or 
associated with, each of these, ideally such that no party can predetermine the resulting value. 
Let us look at the following key agreement protocol:

Let $X$ be a public real value, and let $F(\cdot, \cdot)$ be a rational map enjoying the semi-group property, i.e.,

$$F(p, F(q, X)) = F(pq, X).$$

Bob, in order to agree on a common key with Alice, does the following:

1. Generates a large integer $p$.

2. Computes $Y = F(p, X)$.

3. Sends $Y$ to Alice.

Alice, in order to agree on a common key with Bob, does the following:

1. Generates a large integer $q$.

2. Computes $Y' = F(q, X)$.

3. Sends $Y'$ to Bob.

Then, Alice and Bob compute the common value

$$Z = F(q, Y) = F(q, F(p, X)) = F(p, F(q, X)) = F(p, Y').$$

It is easy to check that if the rational map used in the above scheme is a Chebyshev Polynomial or a Jacobian Elliptic Chebyshev Rational map then, since $X$ is public and $F(p, X)$ and $F(q, X)$ are sent in clear over the channel, an adversary who taps the channel, with no knowledge of the secret values $p$ and $q$, can employ the same attack we have described before for the public-key cryptosystem, and compute the common key.
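The exchange above, as an added example that is neither the paper's code nor Umeno's, instantiated with Chebyshev polynomials in their trigonometric form $F(p, x) = T_p(x) = \cos(p \arccos x)$ on $[-1, 1]$. Besides running the protocol for both parties, it checks the algebraic fact behind the last remark: any integer $p'$ with $F(p', X) = F(p, X)$ gives $F(p', Y') = F(q, F(p', X)) = F(q, F(p, X)) = Z$, so the common value is fixed by the public transcript together with any one such $p'$. The public value is constructed as $X = \cos(2\pi/n)$ so that $p' = p + n$ is such an index and nothing has to be searched for; $n$, $p$, $q$ and the function names are my choices.

```python
import math

# Added example (not from the paper or from Umeno's proposal): the key agreement of
# Section 7 with F(p, x) = T_p(x) = cos(p arccos x), which satisfies
# F(p, F(q, x)) = F(pq, x).  All numeric values are constructed for the demonstration.

def F(p, x):
    """Chebyshev polynomial T_p(x) in trigonometric form: the map F(p, x) of Section 7."""
    return math.cos(p * math.acos(x))

def key_agreement(p, q, X):
    """Bob holds p, Alice holds q, X is public.  Returns the two channel messages and
    the value Z derived by each party; the two Z agree by the semi-group property."""
    Y = F(p, X)             # Bob -> Alice
    Y_prime = F(q, X)       # Alice -> Bob
    Z_alice = F(q, Y)       # F(q, F(p, X))
    Z_bob = F(p, Y_prime)   # F(p, F(q, X))
    return {"Y": Y, "Y_prime": Y_prime, "Z_alice": Z_alice, "Z_bob": Z_bob}

def value_from_equivalent_index(p_alt, transcript):
    """F(p', Y') for an index p' with F(p', X) = F(p, X): equals Z by the identity
    F(p', F(q, X)) = F(q, F(p', X)) = F(q, F(p, X)).  This is why the secrecy of p
    itself does not protect Z once any equivalent index is known."""
    return F(p_alt, transcript["Y_prime"])

def demo(n=13, p=1234, q=4321):
    """Returns three gaps that are all zero up to rounding: disagreement between the
    parties, |F(p+n, X) - F(p, X)|, and |F(p+n, Y') - Z|."""
    X = math.cos(2 * math.pi / n)   # constructed: p and p + n then give the same F(., X)
    t = key_agreement(p, q, X)
    parties = abs(t["Z_alice"] - t["Z_bob"])
    same_public = abs(F(p + n, X) - F(p, X))
    same_key = abs(value_from_equivalent_index(p + n, t) - t["Z_alice"])
    return parties, same_public, same_key

if __name__ == "__main__":
    print(demo())
```

The arccos in $F$ returns an angle in $[0, \pi]$, so in the real-number setting $F(p, x)$ depends on $p \arccos x$ only modulo $2\pi$ and up to sign; this is the periodicity the attack of Section 6 exploits, and it has no counterpart in the finite-field Diffie-Hellman protocol.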

8 Entity Authentication based on Chebyshev Polynomials 

Chebyshev Polynomials have also been used to design an authentication scheme. Entity authentication is defined as follows [25]:

Definition 8.1 Entity authentication is the process whereby one party is assured (through acquisition of corroborative evidence) of the identity of a second party involved in a protocol, and that the second has actually participated (i.e., is active at, or immediately prior to, the time evidence is acquired).

In [37] a scheme based on Chebyshev Polynomials, by means of which a user can efficiently authenticate himself to a server in order to log in, was proposed. It strongly resembles the public key cryptosystem described in [21]. Apart from minor implementation details, the scheme works as follows:

Let $m \in [-1, 1]$ be a real value, and denote by $T_s^i(\cdot)$ the map $T_s(\cdot)$ iterated $i$ times, i.e.,

$$T_s^i(\cdot) = T_s(T_s(T_s \cdots T_s(\cdot)) \cdots) = T_{s^i}(\cdot).$$

Setup Phase - Server Side

1. The server generates a random number $r$.

2. Computes and sends $T_r(m)$ to the user.

Setup Phase - User Side

1. The user chooses a random number $s$.

$i$-th Authentication Phase

1. The user computes $T_s^i(m)$ and $auth = T_s^i(T_r(m))$, and sends both values to the server.

2. The server computes $auth' = T_r(T_s^i(m))$ and checks whether $auth = auth'$. Then, if the check is satisfied, the access is granted.

It is easy to see that, if $m$ and $T_r(m)$ are public, an adversary who gets the messages associated with the first log in request can apply the same attack we have described before in order to get an integer $s'$ such that $T_{s'}(m) = T_s(m)$. Then, at the $i$-th session, he can authenticate himself as the real user by computing $T_{s'}^i(m)$ and $auth = T_{s'}^i(T_r(m))$. Indeed, it is easy to show, arguing by induction on $i$, that $T_{s'}^i(m) = T_s^i(m)$. Therefore, it holds that

$$auth = T_{s'}^i(T_r(m)) = T_r(T_{s'}^i(m)) = T_r(T_s^i(m)) = T_s^i(T_r(m)) = auth'.$$

Thus, the scheme is not secure. One way to avoid the above attack is to make $m$ and $T_r(m)$ private to the user and the server. Unfortunately, the scheme is not secure even if $m$ and $T_r(m)$ are private. Indeed, even in this scenario, an adversary with no knowledge of the private values $m$ and $T_r(m)$, who just listens to two consecutive authentication phases, can subsequently authenticate himself to the server as if he were the real user. More precisely, assume that the adversary gets $T_s^{i-1}(m), T_s^{i-1}(T_r(m))$ and $T_s^i(m), T_s^i(T_r(m))$. Then, the attack works as follows:

The adversary does the following:

1. Computes an integer $w$ such that $T_w(T_s^{i-1}(m)) = T_s^i(m)$.

2. For any $\ell \geq 1$, to authenticate himself at the $(i + \ell)$-th session,

(a) Computes

$$T_s^{i+\ell}(m) = T_w^\ell(T_s^i(m)) \qquad \text{and} \qquad auth = T_s^{i+\ell}(T_r(m)) = T_w^\ell(T_s^i(T_r(m))).$$

(b) Sends the pair $(T_s^{i+\ell}(m), auth)$.

Notice that the adversary does not need to know the index $i$ of the session. He just needs two consecutive authentication messages.

In order to understand why the attack works, notice that an integer $w$ such that $T_w(T_{s^{i-1}}(m)) = T_{s^i}(m)$ can be computed by applying the same attack we have described before against the cryptosystem. Then, we can proceed by induction on $\ell$ to show that $T_s^{i+\ell}(m) = T_w^\ell(T_s^i(m))$ and $auth = T_s^{i+\ell}(T_r(m)) = T_w^\ell(T_s^i(T_r(m)))$.

Let $\ell = 1$. It is easy to see that

$$T_s^{i+1}(m) = T_s(T_s^i(m)) = T_s(T_w(T_s^{i-1}(m))) = T_w(T_s(T_s^{i-1}(m))) = T_w(T_s^i(m)).$$

Then, notice that $T_w(T_{s^{i-1}}(T_r(m))) = T_{s^i}(T_r(m))$. Indeed,

$$T_w(T_{s^{i-1}}(T_r(m))) = T_w(T_r(T_{s^{i-1}}(m))) = T_r(T_w(T_{s^{i-1}}(m))) = T_r(T_{s^i}(m)) = T_{s^i}(T_r(m)).$$

Therefore,

$$T_s^{i+1}(T_r(m)) = T_s(T_s^i(T_r(m))) = T_s(T_w(T_s^{i-1}(T_r(m)))) = T_w(T_s(T_s^{i-1}(T_r(m)))) = T_w(T_s^i(T_r(m))).$$

Assume that

$$T_s^{i+(\ell-1)}(m) = T_w^{\ell-1}(T_s^i(m)) \qquad \text{and} \qquad T_s^{i+(\ell-1)}(T_r(m)) = T_w^{\ell-1}(T_s^i(T_r(m))).$$

By applying the inductive hypothesis, it holds that

$$T_s^{i+\ell}(m) = T_s(T_s^{i+(\ell-1)}(m)) = T_s(T_w^{\ell-1}(T_s^i(m))) = T_s(T_w^{\ell-1}(T_w(T_s^{i-1}(m)))) = T_w^\ell(T_s^i(m)),$$

and

$$T_s^{i+\ell}(T_r(m)) = T_s(T_s^{i+(\ell-1)}(T_r(m))) = T_s(T_w^{\ell-1}(T_s^i(T_r(m)))) = T_s(T_w^{\ell-1}(T_w(T_s^{i-1}(T_r(m))))) = T_w^\ell(T_s^i(T_r(m))).$$

Thus, the attack works.
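The protocol and the identities proved above, as an added example that is neither the paper's code nor the scheme of [37]: the Chebyshev map is again written as $T_n(x) = \cos(n \arccos x)$, the user and server steps of the $i$-th authentication phase are implemented, and the identities $T_{s'}^i(m) = T_s^i(m)$, $T_s^{i+\ell}(m) = T_w^\ell(T_s^i(m))$ and $T_s^{i+\ell}(T_r(m)) = T_w^\ell(T_s^i(T_r(m)))$ are checked numerically. The value $m$ is constructed as $\cos(2\pi/7)$ so that equivalent indices can be written down directly ($s' = w = s + 7$) rather than searched for; $r$, $s$, $i$, $\ell$ and the function names are my choices.

```python
import math

# Added example (not from the paper or from the scheme in [37]): the login protocol
# of Section 8 and a numerical check of the identities its analysis rests on.

def T(n, x):
    """Chebyshev polynomial T_n(x) = cos(n arccos x) on [-1, 1]."""
    return math.cos(n * math.acos(x))

def T_iter(n, x, times):
    """T_n^{times}(x): the map T_n applied `times` times, equal to T_{n^times}(x)."""
    for _ in range(times):
        x = T(n, x)
    return x

def user_message(s, m, Tr_m, i):
    """i-th authentication phase, user side: (T_s^i(m), auth = T_s^i(T_r(m)))."""
    return T_iter(s, m, i), T_iter(s, Tr_m, i)

def server_accepts(r, value, auth, tol=1e-9):
    """Server side: recompute auth' = T_r(value) and compare with the received auth.
    A tolerance is unavoidable because the values are floating-point reals."""
    return abs(T(r, value) - auth) < tol

def identities_gap(s, s_alt, w, r, m, i, ell):
    """Largest deviation among the identities used in Section 8, all of which
    should vanish up to rounding:
      T_{s'}(m) = T_s(m)  and  T_{s'}^i(m) = T_s^i(m)          (public m case)
      T_w(T_s^{i-1}(m)) = T_s^i(m)                              (choice of w)
      T_s^{i+l}(m) = T_w^l(T_s^i(m))                             (first induction claim)
      T_s^{i+l}(T_r(m)) = T_w^l(T_s^i(T_r(m)))                   (second induction claim)"""
    Tr_m = T(r, m)
    gaps = [
        abs(T(s_alt, m) - T(s, m)),
        abs(T_iter(s_alt, m, i) - T_iter(s, m, i)),
        abs(T(w, T_iter(s, m, i - 1)) - T_iter(s, m, i)),
        abs(T_iter(s, m, i + ell) - T_iter(w, T_iter(s, m, i), ell)),
        abs(T_iter(s, Tr_m, i + ell) - T_iter(w, T_iter(s, Tr_m, i), ell)),
    ]
    return max(gaps)

def demo(r=5, s=3, i=4, ell=3):
    """Runs one honest session and evaluates identities_gap with s' = w = s + 7.
    Returns (server accepted the honest user, largest identity gap)."""
    m = math.cos(2 * math.pi / 7)   # constructed: indices congruent mod 7 act alike on m
    Tr_m = T(r, m)
    value, auth = user_message(s, m, Tr_m, i)
    return server_accepts(r, value, auth), identities_gap(s, s + 7, s + 7, r, m, i, ell)

if __name__ == "__main__":
    print(demo())
```

Because $\arccos$ returns an angle in $[0, \pi]$, each iteration of `T_iter` reduces the angle modulo $2\pi$, so the computation stays well conditioned even for the large indices $s^{i+\ell}$ that appear in the identities.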

9 Public Key Cryptosystems on Real Numbers

Currently used public key cryptosystems are defined over finite fields and use modular arithmetic. Their security is often based on the difficulty of solving certain number theoretic problems, such as factoring large composite integers, computing discrete logarithms in finite multiplicative groups, deciding quadratic residuosity, computing square roots, and so on. In other words, they are designed in such a way that breaking the cryptosystem would make the presumed underlying difficult problem easy to solve. At the moment, this method cannot be applied to chaos-based cryptosystems, since they are defined over real numbers.

Certainly two important issues must be solved in order to design a secure public key cryptosystem based on real numbers. In order to apply a reductionist approach, some presumably difficult problem over the field of real numbers which permits implementing a one-way trapdoor function or permutation should be identified. Moreover, as the above attack in a certain way points out, the finite representation of real numbers in a computer with finite memory, and the finite precision of the operations performed by such a machine, deserve an in-depth study in order to understand well the security implications they give rise to. Paradoxically, there might also exist a good technique for implementing a secure cryptosystem over the infinite field of real numbers which turns out to be insecure in any finite implementation on a computer using finite arithmetic precision.

Some studies dealing with the possibility of cryptographic primitives over nonclassical computational models have already been done. For example, in [?], the possibility of secret sharing schemes [27] over infinite countable domains, like the set of all binary strings, was studied. It was shown that no such scheme exists. Later on, in [?], the case of private computations over the integers was studied, and it was shown that some lower bounds that hold in the finite case do not extend to infinite domains. Recently, in [30], Cryptography over the infinite field of rational numbers, giving all parties unbounded computational power, has been considered. Under the assumption that users can sample random real numbers, and that standard field operations can be used, it turned out that secure signature and secure encryption do not exist, nor do Diffie-Hellman key exchange, oblivious transfer, and interactive encryption.
10 Conclusions and Open Problems

In this paper we have analysed a public key cryptosystem based on Chebyshev polynomials. Unfortunately, even if it is efficient and based on a fascinating and elegant idea, we have shown that it is not secure, since an adversary can efficiently recover the plaintext from a given ciphertext. The proposed cryptosystem can be implemented by using any chaotic map $x_{n+1} = F_p(x_n)$ for which $F$ can be written as $F_p(x) = f(p \cdot f^{-1}(x))$, and such that $F_p(F_s(x)) = F_{p \cdot s}(x)$, i.e., it enjoys the semi-group property. Jacobian Elliptic Chebyshev Rational Maps represent another class of maps enjoying such a property. We have shown that the attack described in Section 5 can still be applied if these maps are used. Moreover, we have analysed a Diffie-Hellman like key agreement scheme based on rational maps and we have pointed out that if Jacobian Elliptic Chebyshev Rational Maps are used, then the scheme is not secure, in the sense that a passive adversary can compute the common key. Finally, we have also shown that a recently proposed authentication scheme, designed along the same lines as the public key cryptosystem, is still subject to our attack and, hence, is not secure. The attack we have described works in every case in which the maps $F_p(x)$ enjoy the semi-group property and, given $x$ and $F_p(x)$, an integer solution $p'$ to the equation $F_{p'}(x) = F_p(x)$ can be efficiently computed. However, a detailed study of new implementations, as well as the design and investigation of other chaos-based public key systems, are interesting topics for future research.